<!DOCTYPE html>
<html lang=zh>
<head>
    <!-- so meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
    <meta name="description" content="命令执行漏洞绕过总结 只是简单的将个人遇到的命令执行漏洞绕过整合在一起，方便个人使用，后续遇到新的绕过会添加进来     常见的绕过方式: 通配符绕过  各种命令执行函数 空格绕过 cat过滤绕过 各种 php:&#x2F;&#x2F;伪协议 绕过 无字母数字绕过(或，异或) %0a截断, “;”截断 条件竞争 open_dir绕过 利用各种变量和函数进行构造 管道符  上述绕过方式基本上都有">
<meta property="og:type" content="article">
<meta property="og:title" content="[漏洞总结]命令执行漏洞绕过总结">
<meta property="og:url" content="https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/index.html">
<meta property="og:site_name" content="TonyD0g">
<meta property="og:description" content="命令执行漏洞绕过总结 只是简单的将个人遇到的命令执行漏洞绕过整合在一起，方便个人使用，后续遇到新的绕过会添加进来     常见的绕过方式: 通配符绕过  各种命令执行函数 空格绕过 cat过滤绕过 各种 php:&#x2F;&#x2F;伪协议 绕过 无字母数字绕过(或，异或) %0a截断, “;”截断 条件竞争 open_dir绕过 利用各种变量和函数进行构造 管道符  上述绕过方式基本上都有">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-01-05T07:23:18.000Z">
<meta property="article:modified_time" content="2023-07-20T07:35:34.599Z">
<meta property="article:author" content="TonyD0g">
<meta name="twitter:card" content="summary">
    
    
        
          
              <link rel="shortcut icon" href="/images/favicon.ico">
          
        
        
          
            <link rel="icon" type="image/png" href="/images/favicon-192x192.png" sizes="192x192">
          
        
        
          
            <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">
          
        
    
    <!-- title -->
    <title>[漏洞总结]命令执行漏洞绕过总结</title>
    <!-- styles -->
    
<link rel="stylesheet" href="/css/style.css">

    <!-- persian styles -->
    
      
<link rel="stylesheet" href="/css/rtl.css">

    
    <!-- rss -->
    
    
<meta name="generator" content="Hexo 4.2.1"></head>

<body class="max-width mx-auto px3 ltr">
    
      <div id="header-post">
  <a id="menu-icon" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="menu-icon-tablet" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="top-icon-tablet" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');" style="display:none;"><i class="fas fa-chevron-up fa-lg"></i></a>
  <span id="menu">
    <span id="nav">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </span>
    <br/>
    <span id="actions">
      <ul>
        
        <li><a class="icon" href="/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/"><i class="fas fa-chevron-left" aria-hidden="true" onmouseover="$('#i-prev').toggle();" onmouseout="$('#i-prev').toggle();"></i></a></li>
        
        
        <li><a class="icon" href="/2022/01/05/WAF%E7%BB%95%E8%BF%87%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%92%8CWebshell%E5%85%8D%E6%9D%80%E7%AF%87/"><i class="fas fa-chevron-right" aria-hidden="true" onmouseover="$('#i-next').toggle();" onmouseout="$('#i-next').toggle();"></i></a></li>
        
        <li><a class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up" aria-hidden="true" onmouseover="$('#i-top').toggle();" onmouseout="$('#i-top').toggle();"></i></a></li>
        <li><a class="icon" href="#"><i class="fas fa-share-alt" aria-hidden="true" onmouseover="$('#i-share').toggle();" onmouseout="$('#i-share').toggle();" onclick="$('#share').toggle();return false;"></i></a></li>
      </ul>
      <span id="i-prev" class="info" style="display:none;">上一篇</span>
      <span id="i-next" class="info" style="display:none;">下一篇</span>
      <span id="i-top" class="info" style="display:none;">返回顶部</span>
      <span id="i-share" class="info" style="display:none;">分享文章</span>
    </span>
    <br/>
    <div id="share" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" target="_blank" rel="noopener"><i class="fab fa-facebook " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&text=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-twitter " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-linkedin " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&is_video=false&description=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-pinterest " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[漏洞总结]命令执行漏洞绕过总结&body=Check out this article: https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"><i class="fas fa-envelope " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-get-pocket " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-reddit " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-stumbleupon " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-digg " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&name=[漏洞总结]命令执行漏洞绕过总结&description=" target="_blank" rel="noopener"><i class="fab fa-tumblr " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&t=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-hacker-news " aria-hidden="true"></i></a></li>
</ul>

    </div>
    <div id="toc">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#命令执行漏洞绕过总结"><span class="toc-number">1.</span> <span class="toc-text">命令执行漏洞绕过总结</span></a><ol class="toc-child"><li class="toc-item toc-level-5"><a class="toc-link" href="#"><span class="toc-number">1.0.0.0.1.</span> <span class="toc-text">
只是简单的将个人遇到的命令执行漏洞绕过整合在一起，方便个人使用，后续遇到新的绕过会添加进来
</span></a></li></ol></li></ol></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#常见的绕过方式"><span class="toc-number">1.1.</span> <span class="toc-text">常见的绕过方式:</span></a><ol class="toc-child"><li class="toc-item toc-level-5"><a class="toc-link" href="#"><span class="toc-number">1.1.0.0.1.</span> <span class="toc-text">上述绕过方式基本上都有人发表过技术文章，我就不做重复工作了，要看复现就看下面的友链或我写的随笔:</span></a></li></ol></li></ol></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.1.</span> <span class="toc-text">1.通配符绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.2.</span> <span class="toc-text">2.常用命令执行函数</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.3.</span> <span class="toc-text">3.空格绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.4.</span> <span class="toc-text">4.cat过滤绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.5.</span> <span class="toc-text">5.各种 php:&#x2F;&#x2F;伪协议 绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.6.</span> <span class="toc-text">6.无字母数字绕过(或，异或)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.7.</span> <span class="toc-text">8.条件竞争</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#"><span class="toc-number">1.2.</span> <span class="toc-text">10.个人复现</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#管道符"><span class="toc-number">1.3.</span> <span class="toc-text">管道符:</span></a><ol class="toc-child"><li class="toc-item toc-level-4"><a class="toc-link" href="#Windows"><span class="toc-number">1.3.0.1.</span> <span class="toc-text">Windows:</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#Linux"><span class="toc-number">1.3.0.2.</span> <span class="toc-text">Linux:</span></a></li></ol></li></ol></li></ol></li></ol>
    </div>
  </span>
</div>

    
    <div class="content index py4">
        
        <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
  <header>
    
    <h1 class="posttitle" itemprop="name headline">
        [漏洞总结]命令执行漏洞绕过总结
    </h1>



    <div class="meta">
      <span class="author" itemprop="author" itemscope itemtype="http://schema.org/Person">
        <span itemprop="name">TonyD0g</span>
      </span>
      
    <div class="postdate">
      
        <time datetime="2022-01-05T07:23:18.000Z" itemprop="datePublished">2022-01-05</time>
        
        (Updated: <time datetime="2023-07-20T07:35:34.599Z" itemprop="dateModified">2023-07-20</time>)
        
      
    </div>


      

      

    </div>
  </header>
  

  <div class="content" itemprop="articleBody">
    <span id="more"></span>

<h1 id="命令执行漏洞绕过总结"><a href="#命令执行漏洞绕过总结" class="headerlink" title="命令执行漏洞绕过总结"></a>命令执行漏洞绕过总结</h1><h5>
只是简单的将个人遇到的命令执行漏洞绕过整合在一起，方便个人使用，后续遇到新的绕过会添加进来
</h5>



<h2 id="常见的绕过方式"><a href="#常见的绕过方式" class="headerlink" title="常见的绕过方式:"></a>常见的绕过方式:</h2><ol>
<li>通配符绕过 </li>
<li>各种命令执行函数</li>
<li>空格绕过</li>
<li>cat过滤绕过</li>
<li>各种 php:&#x2F;&#x2F;伪协议 绕过</li>
<li>无字母数字绕过(或，异或)</li>
<li>%0a截断, “;”截断</li>
<li>条件竞争</li>
<li>open_dir绕过</li>
<li>利用各种变量和函数进行构造</li>
<li>管道符</li>
</ol>
<h5>上述绕过方式基本上都有人发表过技术文章，我就不做重复工作了，要看复现就看下面的友链或我写的随笔:</h5>

<h3>1.通配符绕过</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">*	匹配任何字符串／文本，包括空字符串；*代表任意字符（0个或多个） ls file *</span><br><span class="line">?	匹配任何一个字符（不在括号内时）?代表任意1个字符 ls file 0</span><br><span class="line">[abcd]	匹配abcd中任何一个字符</span><br><span class="line">[a-z]	表示范围a到z，表示范围的意思 []匹配中括号中任意一个字符 ls file 0</span><br></pre></td></tr></table></figure>

<h3>2.常用命令执行函数</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">反引号 `</span><br><span class="line">system()</span><br><span class="line">passthru()</span><br><span class="line">exec()</span><br><span class="line">shell_exec()</span><br><span class="line">popen()</span><br><span class="line">proc_open()</span><br><span class="line">pcntl_exec()</span><br><span class="line">反引号 同shell_exec() </span><br></pre></td></tr></table></figure>

<h3>3.空格绕过</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&gt; &lt; &lt;&gt; 重定向符</span><br><span class="line">%09(需要php环境)</span><br><span class="line">$&#123;IFS&#125; </span><br><span class="line">$IFS$9</span><br><span class="line">&#123;cat,flag.php&#125; //用逗号实现了空格功能</span><br><span class="line">%20 </span><br><span class="line">%09</span><br></pre></td></tr></table></figure>

<h3>4.cat过滤绕过</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">more:一页一页的显示档案内容</span><br><span class="line">less:与 more 类似</span><br><span class="line">head:查看头几行</span><br><span class="line">tac:从最后一行开始显示，可以看出 tac 是 cat 的反向显示</span><br><span class="line">tail:查看尾几行</span><br><span class="line">nl：显示的时候，顺便输出行号</span><br><span class="line">od:以二进制的方式读取档案内容</span><br><span class="line">vi:一种编辑器，这个也可以查看</span><br><span class="line">vim:一种编辑器，这个也可以查看</span><br><span class="line">sort:可以查看</span><br><span class="line">uniq:可以查看</span><br><span class="line">file -f:报错出具体内容</span><br><span class="line">grep</span><br><span class="line">1、在当前目录中，查找后缀有 file 字样的文件中包含 test 字符串的文件，并打印出该字符串的行。此时，可以使用如下命令：</span><br><span class="line">grep test *file</span><br><span class="line">strings</span><br></pre></td></tr></table></figure>

<h3>5.各种 php://伪协议 绕过</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://segmentfault.com/a/1190000018991087</span><br></pre></td></tr></table></figure>

<h3>6.无字母数字绕过(或，异或)</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">https://blog.csdn.net/miuzzx/article/details/108569080?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163404522216780357211556%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&amp;request_id=163404522216780357211556&amp;biz_id=0&amp;utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_v2~rank_v29-1-108569080.pc_v2_rank_blog_default&amp;utm_term=41&amp;spm=1018.2226.3001.4450</span><br><span class="line">https://github.com/TonyD0g/PythonHacker/tree/master/Python%E9%9A%8F%E6%83%B3/Web/%E6%97%A0%E5%AD%97%E6%AF%8D%E6%95%B0%E5%AD%97%E7%BB%95%E8%BF%87%E6%AD%A3%E5%88%99%E8%A1%A8%E8%BE%BE%E5%BC%8F</span><br></pre></td></tr></table></figure>


<h3>8.条件竞争</h3>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://www.xiinnn.com/article/3fceb7b2.html</span><br></pre></td></tr></table></figure>

<h2>10.个人复现</h2>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://note.youdao.com/noteshare?id=0770b21e096034ed414ad7722b7de8fe&amp;sub=A6B18BC0B315429CA5C136AAB5B09C2F</span><br></pre></td></tr></table></figure>

<h2 id="管道符"><a href="#管道符" class="headerlink" title="管道符:"></a>管道符:</h2><h4 id="Windows"><a href="#Windows" class="headerlink" title="Windows:"></a>Windows:</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">|直接执行后面的语句</span><br><span class="line">||如果前面命令是错的那么就执行后面的语句，否则只执行前面的语句</span><br><span class="line">&amp;前面和后面命令都要执行，无论前面真假</span><br><span class="line">&amp;&amp;如果前面为假，后面的命令也不执行，如果前面为真则执行两条命令</span><br></pre></td></tr></table></figure>

<h4 id="Linux"><a href="#Linux" class="headerlink" title="Linux:"></a>Linux:</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">;前面和后面命令都要执行，无论前面真假</span><br><span class="line">|直接执行后面的语句</span><br><span class="line">||如果前面命令是错的那么就执行后面的语句，否则只执行前面的语句</span><br><span class="line">&amp;前面和后面命令都要执行，无论前面真假</span><br><span class="line">&amp;&amp;如果前面为假，后面的命令也不执行，如果前面为真则执行两条命令</span><br></pre></td></tr></table></figure>


  </div>
</article>



        
          <div id="footer-post-container">
  <div id="footer-post">

    <div id="nav-footer" style="display: none">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </div>

    <div id="toc-footer" style="display: none">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#命令执行漏洞绕过总结"><span class="toc-number">1.</span> <span class="toc-text">命令执行漏洞绕过总结</span></a><ol class="toc-child"><li class="toc-item toc-level-5"><a class="toc-link" href="#"><span class="toc-number">1.0.0.0.1.</span> <span class="toc-text">
只是简单的将个人遇到的命令执行漏洞绕过整合在一起，方便个人使用，后续遇到新的绕过会添加进来
</span></a></li></ol></li></ol></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#常见的绕过方式"><span class="toc-number">1.1.</span> <span class="toc-text">常见的绕过方式:</span></a><ol class="toc-child"><li class="toc-item toc-level-5"><a class="toc-link" href="#"><span class="toc-number">1.1.0.0.1.</span> <span class="toc-text">上述绕过方式基本上都有人发表过技术文章，我就不做重复工作了，要看复现就看下面的友链或我写的随笔:</span></a></li></ol></li></ol></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.1.</span> <span class="toc-text">1.通配符绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.2.</span> <span class="toc-text">2.常用命令执行函数</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.3.</span> <span class="toc-text">3.空格绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.4.</span> <span class="toc-text">4.cat过滤绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.5.</span> <span class="toc-text">5.各种 php:&#x2F;&#x2F;伪协议 绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.6.</span> <span class="toc-text">6.无字母数字绕过(或，异或)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#"><span class="toc-number">1.1.7.</span> <span class="toc-text">8.条件竞争</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#"><span class="toc-number">1.2.</span> <span class="toc-text">10.个人复现</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#管道符"><span class="toc-number">1.3.</span> <span class="toc-text">管道符:</span></a><ol class="toc-child"><li class="toc-item toc-level-4"><a class="toc-link" href="#Windows"><span class="toc-number">1.3.0.1.</span> <span class="toc-text">Windows:</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#Linux"><span class="toc-number">1.3.0.2.</span> <span class="toc-text">Linux:</span></a></li></ol></li></ol></li></ol></li></ol>
    </div>

    <div id="share-footer" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" target="_blank" rel="noopener"><i class="fab fa-facebook fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&text=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-twitter fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-linkedin fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&is_video=false&description=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-pinterest fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[漏洞总结]命令执行漏洞绕过总结&body=Check out this article: https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"><i class="fas fa-envelope fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-get-pocket fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-reddit fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-stumbleupon fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&title=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-digg fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&name=[漏洞总结]命令执行漏洞绕过总结&description=" target="_blank" rel="noopener"><i class="fab fa-tumblr fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/&t=[漏洞总结]命令执行漏洞绕过总结" target="_blank" rel="noopener"><i class="fab fa-hacker-news fa-lg" aria-hidden="true"></i></a></li>
</ul>

    </div>

    <div id="actions-footer">
        <a id="menu" class="icon" href="#" onclick="$('#nav-footer').toggle();return false;"><i class="fas fa-bars fa-lg" aria-hidden="true"></i> 菜单</a>
        <a id="toc" class="icon" href="#" onclick="$('#toc-footer').toggle();return false;"><i class="fas fa-list fa-lg" aria-hidden="true"></i> 目录</a>
        <a id="share" class="icon" href="#" onclick="$('#share-footer').toggle();return false;"><i class="fas fa-share-alt fa-lg" aria-hidden="true"></i> 分享</a>
        <a id="top" style="display:none" class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up fa-lg" aria-hidden="true"></i> 返回顶部</a>
    </div>

  </div>
</div>

        
        <footer id="footer">
  <div class="footer-left">
    Copyright &copy;
    
    
    2016-2023
    TonyD0g
  </div>
  <div class="footer-right">
    <nav>
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </nav>
  </div>
</footer>

    </div>
    <!-- styles -->

<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">


<link rel="stylesheet" href="/lib/justified-gallery/css/justifiedGallery.min.css">


    <!-- jquery -->

<script src="/lib/jquery/jquery.min.js"></script>


<script src="/lib/justified-gallery/js/jquery.justifiedGallery.min.js"></script>

<!-- clipboard -->

  
<script src="/lib/clipboard/clipboard.min.js"></script>

  <script type="text/javascript">
  $(function() {
    // copy-btn HTML
    var btn = "<span class=\"btn-copy tooltipped tooltipped-sw\" aria-label=\"复制到粘贴板!\">";
    btn += '<i class="far fa-clone"></i>';
    btn += '</span>'; 
    // mount it!
    $(".highlight table").before(btn);
    var clip = new ClipboardJS('.btn-copy', {
      text: function(trigger) {
        return Array.from(trigger.nextElementSibling.querySelectorAll('.code')).reduce((str,it)=>str+it.innerText+'\n','')
      }
    });
    clip.on('success', function(e) {
      e.trigger.setAttribute('aria-label', "复制成功!");
      e.clearSelection();
    })
  })
  </script>


<script src="/js/main.js"></script>

<!-- search -->

<!-- Google Analytics -->

    <script type="text/javascript">
        (function(i,s,o,g,r,a,m) {i['GoogleAnalyticsObject']=r;i[r]=i[r]||function() {
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
        ga('create', 'UA-84578611-1', 'auto');
        ga('send', 'pageview');
    </script>

<!-- Baidu Analytics -->

    <script type="text/javascript">
        var _hmt = _hmt || [];
        (function() {
            var hm = document.createElement("script");
            hm.src = "https://hm.baidu.com/hm.js?2e6da3c375c789455b664cea6d4cb29c";
            var s = document.getElementsByTagName("script")[0];
            s.parentNode.insertBefore(hm, s);
        })();
    </script>

<!-- Disqus Comments -->


</body>
</html>
